1. Introduction

1.1 Who should read this Privacy Policy?

You should read this policy if you are:

• a service recipient, program participant or client of MDSI
• a parent or legal guardian of a minor (persons under the age of 18) who is a service recipient, program participant or client of MDSI
• a third-party service provider funded to deliver services under an MDSI funding agreement
• a person who volunteers at MDSI
• a student undertaking work placement
• a person seeking employment with MDSI
• a person who is or was employed by MDSI
• making a donation to MDSI

1.2 The Privacy Act 1988

Important changes to the Privacy Act 1988 (Cth) commenced on 12 March 2014.

Prior to this date MDSI followed the privacy principles set out in both the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs). As of 12 March 2014, the IPPs and NPPs were replaced by a single set of privacy principles – the Australian Privacy Principles (APPs).

It is the APPs that now regulate how we collect, hold, use and disclose personal information, and how individuals can access and/or correct that information.

1.3 MDSI and your privacy

MDSI is a not-for-profit charity that offers community and support services. MDSI seeks to ensure that our organisation and our services are relevant and accessible. Based on an integrated service delivery system, MDSI’s programs are specifically tailored through five broad service areas: Children, Youth, Family, Disability and Aged.

MDSI takes privacy seriously and will only collect, hold, use and disclose your personal information in accordance with the Privacy Act.

If MDSI does not receive personal information about you, the Privacy Act will not apply.

1.4 Remaining anonymous or using a pseudonym

MDSI understands that anonymity is an important element of privacy and some individuals may wish to be anonymous or use a pseudonym when interacting with MDSI.

Where possible, individuals will have the right to remain anonymous or adopt a pseudonym when dealing with MDSI. For example, if you contact our Information Officer with a general query you do not need to provide us with your details. However, for most of our services and activities we need sufficient information to enable us to carry out our functions and provide our services and programs.

1.5 Information held by contractors

Under the Privacy Act, MDSI is required to take contractual measures to ensure contracted service providers (including sub-contractors) comply with the same privacy requirements applicable to MDSI.

2. MDSI’s personal information handling practices

2.1 Collection of personal information

Generally, we collect personal information directly from the relevant individual. Sometimes, we may need to collect information about a client from a third party, such as their representative, a parent, carer, guardian or other responsible person or a third party such as a health service provider, government or similar agency or the client's educational institution or workplace.

We will do this if the client has consented for us to collect the information in this way, or where it is not reasonable or practical for us to collect this information directly from the client (such as in an emergency, because the client is not able to provide the information required or where collection in this way is a reasonable and efficient way to collect the information without inconvenience to the client).

We generally use forms, online portals and other electronic or paper correspondence to collect this information.

Information may be collected directly by MDSI or by people or organisations acting on behalf of MDSI. MDSI may also obtain personal information collected by other Commonwealth agencies, State or Territory government bodies, or other organisations.

• employment and personnel matters for MDSI staff and volunteers (including security assessments)
• the performance of its legislative and administrative functions
• individuals participating in MDSI funded programs and initiatives
• the management of contracts and funding agreements
• the management of audits (both internal and external)
• correspondence from members of the public to MDSI
• compliments and complaints (including privacy complaints) made and feedback provided to MDSI
• requests made to MDSI under the Freedom of Information Act 1982 (Cth)
• the provision of legal advice by internal and external lawyers.

MDSI will not ask you for any personal information which we do not need. The Privacy Act requires that we should collect information for a purpose that is reasonably necessary for, or directly related to, a function or activity of MDSI.

When we collect personal information, we are required under the Privacy Act to notify you of a number of matters. These include the purposes for which we collect the information, whether the collection is required or authorised by law and any person or body to whom we usually disclose the information. MDSI generally provides this notification by having Privacy Notices on our paper-based forms and online portals.

2.2 Kinds of personal information collected and held

In performing its functions, MDSI collects and holds the following kinds of personal information (which will vary depending on the context of the collection):

On occasions, a range of sensitive information may also be collected or held about you, including information about:

• your racial or ethnic origin
• your health (including information about your medical history and any disability or injury you may have)
• any criminal record and/or traffic offence record you may have, and on occasion
• photographs, video recordings and audio recordings

2.3 How MDSI collects and holds personal information

MDSI collects personal information through a variety of different methods including:

MDSI holds personal information in a range of paper-based and electronic records.

All reasonable steps are taken to keep secure any information that is held about individuals.

MDSI employees and volunteers are obliged to respect the confidentiality of any personal information held by us and are provided with training and information on the APPs.

2.4 Purposes for which personal information is collected, held, used and disclosed

MDSI collects personal information for a variety of different purposes relating to its functions and activities including:

• providing services to clients
• performing its employment and personnel functions in relation to MDSI staff and volunteers
• performing its legislative and administrative functions
• policy development, research and evaluation
• complaints handling
• program management
• contract management and
• management of correspondence with the public.

MDSI only uses and discloses personal information for the primary purposes for which it is collected or for a closely related secondary purpose; e.g. where the client's needs have changed or become extended or the client has consented to the use or disclosure of the information for the secondary purpose. MDSI will only use your personal information for secondary purposes where it is able to do so in accordance with the Privacy Act.

If necessary to carry out our functions and provide our services and programs, we may need to disclose your personal and sensitive information to external service providers (such as utility/energy providers, legal service providers, other community service providers, etc.).

We may also be required to disclose information by or under law or for various legal purposes.

2.5 Direct Marketing

We collect contact details (which may include name, address, email address, and mobile phone number) when individuals interact with us in order to distribute newsletters and other communications in print and electronic form from time to time.

Please contact our Privacy Officer using the contact details set out at section 5.1 of this Policy to have your details removed from our mailing lists.

We do not supply our database information to other marketing organisations not acting on our behalf.

2.6 How to seek access to and correction of personal information

You have a right under the Privacy Act to access personal information we hold about you.

You also have a right under the Privacy Act to request corrections to any personal information that MDSI holds about you if you think the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

However, the Privacy Act sets out circumstances in which MDSI can decline access to or correction of personal information (e.g. where access is unlawful under a secrecy provision in portfolio legislation, such as the Aged Care Act 1997).

To access or seek correction of personal information we hold about you, please contact MDSI using the contact details set out at section 5.1 of this Policy.

It is also possible to access and correct documents held by MDSI under the Freedom of Information Act 1982 (the FOI Act).

2.7 Accidental or unauthorised disclosure of personal information

MDSI will prevent unauthorised persons gaining access to an individual’s confidential records and permit individuals access to their own records when this is reasonable and appropriate.

MDSI will take seriously and deal promptly with any accidental or unauthorised disclosure of personal information.

If you believe we have breached the Australian Privacy Principles please contact our Privacy Officer using the contact details set out at section 5.1 of this Policy.

2.8 Data Security

Access to personal information held by MDSI is restricted to authorised persons who are MDSI employees or volunteers.

Electronic and paper records containing personal information are protected in accordance with the relevant MDSI policy and procedures.

Generally, MDSI only collects personal information from its website where a person chooses to provide that information.

If you visit our website to read or download information, MDSI records a range of technical information which does not reveal your identity. This information includes your IP or server address, your general locality and the date and time of your visit to the website. This information is used for statistical and development purposes.

No attempt is made to identify you through your browsing other than in exceptional circumstances, such as an investigation into the improper use of the website.

Some functionality of MDSI’s website is not run by MDSI and third parties may capture and store your personal information outside Australia. These third parties include (but are not limited to) Facebook, YouTube, MailChimp, SurveyMonkey, Twitter and Google and may not be subject to the Privacy Act. MDSI is not responsible for the privacy practices of these third parties and encourages you to examine each website's privacy policies and make your own decisions regarding their reliability.

The MDSI website contains links to other websites. MDSI is not responsible for the content and privacy practices of other websites and encourages you to examine each website's privacy policies and make your own decisions regarding the reliability of material and information found.

2.10 Cookies

MDSI's websites may use cookies for site administration purposes. If for any reason you wish not to take advantage of cookies, you may have your browser not accept them, although this may disable or render unusable some of the features of MDSI's websites.

MDSI's websites may also detect and use your IP address or domain name for internet traffic monitoring and capacity purposes or to otherwise administer the website. No personal information is collected, rather the patterns of usage of visitors to the website may be tracked for the purposes of providing improved service and content based on aggregate or statistical review of user site traffic patterns.

2.11 Electronic Communication

There are inherent risks associated with the transmission of information over the Internet, including via email. You should be aware of this when sending personal information to us via email or via our website. If this is of concern to you then you may use other methods of communication with MDSI, such as post, fax, or phone (although these also have risks associated with them).

MDSI only records email addresses when a person sends a message or subscribes to a mailing list. Any personal information provided, including email addresses, will only be used or disclosed for the purpose for which it was provided.

2.12 Disclosure of personal information overseas

MDSI does not share your personal information with entities outside of Australia.

3. Complaints

3.1 MDSI’s process for handling privacy breach complaints

If you believe we have breached the Australian Privacy Principles please contact our Privacy Officer using the contact details set out at section 5.2 of this Policy.

We take all complaints very seriously and we will endeavour to respond to your complaint and address your concerns as soon as reasonably practicable.

3.2 How to complain to the OAIC

You also have the option of contacting the OAIC (Office of the Australian Information Commissioner) if you wish to make a privacy complaint against MDSI.

The OAIC website (www.oaic.gov.au) contains information on how to make a privacy complaint.

If you make a complaint directly to the OAIC rather than to MDSI, the OAIC may recommend you try to resolve the complaint directly with MDSI in the first instance.

4. Privacy Policy Updates

Privacy processes and systems are regularly audited as part of the MDSI audit program and staff, service users and other stakeholders are encouraged to provide ongoing feedback on issues and areas where improvements can be made.

5. How to contact us

5.1 Enquiries and requests to access or correct personal information

If you wish to:

• make a complaint about a breach of your privacy
• query how your personal information is collected, held, used or disclosed
• ask questions about this Privacy Policy
• obtain access to or seek correction of your personal information
• remove your details from our mailing lists

please contact MDSI’s Privacy Officer using the following contact details: